We have approximately 20 internet-connected virtual machines, and just noticed that hackers are trying to brute force SSH port 22. They are trying common usernames (root, mysql, admin) and dictionary attacks.

We know one counter-measure is to run SSH on a different port, but that is not an option (must run on 22). Also, we know that disallowing passwords (only public-keys) is another counter-measure, but again, we require the ability to use password authentication.

Is there a package that can ban/block an IP address if it tries to SSH incorrectly X number of times in a given interval?

It would be optimal if it could block for, say, 12 hours after 5 incorrect logins in a span of 1 minute.

3 Answers

I use the CSF (ConfigServer Security & Firewall) scripts, which not only include IP filtering, but also a plethora of other functionality. It integrates with iptables nicely. I run, manage, and configure it from the command line, but for folks who have cPanel, it can also be installed via WHM's GUI.
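The rule asked for in the question (5 failed logins within 1 minute, then a 12-hour block), sketched as an added example that is not part of the original question or answer and is not CSF's code. It assumes OpenSSH's syslog-style "Failed password" lines; the function name `find_bans` and the sample log are constructed for illustration, and the code only computes ban decisions without touching the firewall.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

MAX_FAILURES = 5                 # "5 incorrect logins"
WINDOW = timedelta(minutes=1)    # "in a span of 1 minute"
BAN_TIME = timedelta(hours=12)   # "block for say 12 hours"

# Failed-password line as written by OpenSSH sshd behind a syslog prefix.
FAILED = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?\S+ from (?P<ip>\S+) port \d+")

# Constructed sample log; hostnames and addresses are documentation values.
SAMPLE_LOG = """\
Mar  3 10:15:01 vm01 sshd[4101]: Failed password for root from 203.0.113.7 port 40112 ssh2
Mar  3 10:15:04 vm01 sshd[4103]: Failed password for invalid user admin from 203.0.113.7 port 40118 ssh2
Mar  3 10:15:09 vm01 sshd[4105]: Failed password for alice from 198.51.100.20 port 51844 ssh2
Mar  3 10:15:10 vm01 sshd[4107]: Failed password for invalid user mysql from 203.0.113.7 port 40125 ssh2
Mar  3 10:15:15 vm01 sshd[4109]: Failed password for root from 203.0.113.7 port 40131 ssh2
Mar  3 10:15:20 vm01 sshd[4105]: Accepted password for alice from 198.51.100.20 port 51844 ssh2
Mar  3 10:15:21 vm01 sshd[4111]: Failed password for root from 203.0.113.7 port 40140 ssh2
Mar  3 10:16:30 vm01 sshd[4120]: Failed password for root from 192.0.2.55 port 33010 ssh2
Mar  3 10:17:45 vm01 sshd[4122]: Failed password for root from 192.0.2.55 port 33014 ssh2
Mar  3 10:19:00 vm01 sshd[4124]: Failed password for root from 192.0.2.55 port 33019 ssh2
Mar  3 10:20:15 vm01 sshd[4126]: Failed password for root from 192.0.2.55 port 33023 ssh2
Mar  3 10:21:30 vm01 sshd[4128]: Failed password for root from 192.0.2.55 port 33027 ssh2
""".splitlines()

def find_bans(lines, year=2024):
    """Return {ip: (banned_at, banned_until)}; syslog has no year, so one is assumed."""
    recent = defaultdict(deque)  # ip -> failure times still inside WINDOW
    bans = {}
    for line in lines:
        m = FAILED.match(line)
        if not m:
            continue             # accepted logins and unrelated messages
        when = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        ip = m["ip"]
        if ip in bans and when < bans[ip][1]:
            continue             # ban still active
        q = recent[ip]
        q.append(when)
        while when - q[0] > WINDOW:
            q.popleft()          # drop failures older than the window
        if len(q) >= MAX_FAILURES:
            bans[ip] = (when, when + BAN_TIME)
            q.clear()
    return bans
```

On the sample, only 203.0.113.7 is banned: the user who mistypes once and the source that spaces its five failures 75 seconds apart both stay under the threshold, which shows what a per-minute window does not catch.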